Switching

Hi guys.

I've been trying to limit the speed of incoming UDP traffic at EX4200 with no luck.

Please have a look at the following config.

# show firewall policer udp-ratelimit
filter-specific;
if-exceeding {
    bandwidth-limit 300m;
    burst-size-limit 10k;
}
then discard;

# show firewall family inet filter udp-rate-limit
term t1 {
    from {
        protocol udp;
    }
    then {
        policer udp-ratelimit;
        count UDP_all;
    }
}
term def {
    then accept;
}

# show interfaces vlan unit 1 family inet filter
input udp-rate-limit;

I've tested the connection using iperf (Linux utility) and rate limiting is not working at all.

What do I do wrong?

Were you able to use iperf to send more than 300 megs with bursts of 10 k to the vlan.1 interface? Try lowering the to number just to test, say about 5m and then gradually increase it just to at least ensure that it works.

Do a quick test. remove the policer action from the filter and see if it is counting the UDP packets.

---

@lyndidon wrote:

Were you able to use iperf to send more than 300 megs with bursts of 10 k to the vlan.1 interface? Try lowering the to number just to test, say about 5m and then gradually increase it just to at least ensure that it works.

Do a quick test. remove the policer action from the filter and see if it is counting the UDP packets.

---

I've already tried this with no luck.

You haven't mentioned how you are testing the rate limit, or what type of traffic you are trying to rate limit?

What you have configured there is a RACL which will apply to traffic received from vlan 1 if and only if it is being routed via the vlan.1 RVI (in other words, destined for an IP address NOT in that VLAN) - if this is what you are trying for does vlan.1 have an IP address?

If you are trying to rate-limit all ingress traffic into VLAN 1 from any port, to any other port, you will need to change your configuration to make it a VACL:

set firewall family ethernet-switching filter udp-rate-limit
...
set vlans v1 filter input udp-rate-limit

 Hope this helps

---

@dfex wrote:

You haven't mentioned how you are testing the rate limit, or what type of traffic you are trying to rate limit?

 

What you have configured there is a RACL which will apply to traffic received from vlan 1 if and only if it is being routed via the vlan.1 RVI (in other words, destined for an IP address NOT in that VLAN) - if this is what you are trying for does vlan.1 have an IP address?

 

If you are trying to rate-limit all ingress traffic into VLAN 1 from any port, to any other port, you will need to change your configuration to make it a VACL:

 

set firewall family ethernet-switching filter udp-rate-limit
...
set vlans v1 filter input udp-rate-limit

 Hope this helps

---

I have an IPv4 at the interface vlan.1 so the interface is an RVI. Thus I can't apply ethernet-switching family rules.

This IP address is a gateway for the whole network so all of the traffic is routed through vlan.1 interface.

If you are trying to rate-limit all ingress traffic into VLAN 1 from any port, to any other port, you will need to change your configuration to make it a VACL:

set firewall family ethernet-switching filter udp-rate-limit
...
set vlans v1 filter input udp-rate-limit

 Hope this helps

I have an IPv4 at the interface vlan.1 so the interface is an RVI. Thus I can't apply ethernet-switching family rules.

This IP address is a gateway for the whole network so all of the traffic is routed through vlan.1 interface.

The above suggestion from DFX is applied on the vlan not the vlan interface

---

@lyndidon wrote:

If you are trying to rate-limit all ingress traffic into VLAN 1 from any port, to any other port, you will need to change your configuration to make it a VACL:

---

Thank you! It works like a magic 🙂